business objects sec
TRANSCRIPT
8/8/2019 Business Objects Sec
BusinessObjects Planning 5.2
Configuring Security
Copyright
Copyright 2007 Business Objects. All rights reserved. Business Objects owns the following
U.S. patents, which may cover products that are offered and licensed by Business Objects:
5,555,403; 6,247,008; 6,289,352; 6,490,593; 6,578,027; 6,768,986; 6,772,409; 6,831,668;
6,882,998; 7,139,766; 7,181,435; 7,181,440 and 7,194,465. Business Objects and the
Business Objects logo, BusinessObjects, Crystal Reports, Crystal Xcelsius, Crystal
Decisions, Intelligent Question, Desktop Intelligence, Crystal Enterprise, Crystal Analysis,
Web Intelligence, RapidMarts, and BusinessQuery are trademarks or registered trademarks
of Business Objects in the United States and/or other countries. All other names mentioned
herein may be trademarks of their respective owners.
Third-party contributors
Business Objects products in this release may contain redistributions of software licensed
from third-party contributors. Some of these individual components may also be available
under alternative licenses. A partial listing of third-party contributors that have requested or
permitted acknowledgments, as well as required notices, can be found at:
http://www.businessobjects.com/thirdparty
Contents
Chapter 1 Introduction
  Conventions used in this guide
  About BusinessObjects Planning
  Related documentation
Chapter 2 About Security
  Authentication
  Integrated Windows authentication
  Non-Windows authentication
  About BusinessObjects Planning security components
  BusinessObjects Planning Login Server
  BusinessObjects Planning Security Configuration tool
  BusinessObjects Planning ISAPI filter
  Authorization
  Object-level security
  Database security
Chapter 3 Configuring Shared Folder Access
  Shared folder access
  Configuring basic access
  Overriding the bootstrap account
  Configuring group access
  Basic file-level permissions
  Extended file-level permissions
Chapter 4 Configuring Windows Server 2003
  Configuring the Application Server environment
  Assigning user rights for service logon
  Configuring the Application Server service logon
  Configuring Distributed COM
  Configuring the Web Server environment
  Configuring Distributed COM
  Configuring the BusinessObjects Planning Analyst IIS COM+ application
  Configuring the BusinessObjects Planning Gateway
  Configuring DCOM machine launch restrictions
  Granting necessary folder access rights
  Configuring Internet Information Services (IIS)
Chapter 5 Installing and Configuring BusinessObjects Planning Login Server
  Hardware requirements
  Installing BusinessObjects Planning Login Server
  Configuring BusinessObjects Planning Login Server
  Starting the Login Server
  Adding BusinessObjects Planning Login Server to your authentication scheme
  Error reporting
Chapter 6 Using the Security Configuration Tool
  Starting the Security configuration tool
  Editing database access parameters
  Editing the database attributes
  Editing the database account
  Editing the database password
  Configuring BusinessObjects Planning shared folder access
  Configuring login account types
  Configuring login confirmation
  Enabling identity confirmation
  Configuring the applications that require identity confirmation
  Editing application properties
  Configuring user auto-creation
  Enabling automatic user registration
  Configuring login account types for user registration
  Configuring applications that automatically register users
  Configuring external authentication servers
  Enabling external authentication
  Configuring server order
  Removing servers
  Testing the server connection
  Editing the properties of a server
Chapter 7 Installing and Configuring the BusinessObjects Planning ISAPI Filter
  Installing the BusinessObjects Planning ISAPI filter
  Configuring the BusinessObjects Planning ISAPI filter
  Configuring the BusinessObjects Planning ISAPI extension
Chapter 8 Configuring Security-Related INI Settings
  Configuring INI settings
Index
Chapter 1
Introduction
This guide contains information about configuring security for your
BusinessObjects Planning site. This guide is intended for administrators who
are configuring authentication and other security policies for their
BusinessObjects Planning site.
This section discusses the following topics:
Conventions used in this guide
About BusinessObjects Planning
Related documentation
Conventions used in this guide
The following table describes the conventions used in this guide.
When you see | It indicates
Bold text | A name of a user interface item that you should select. For example, "Right-click a report and select Properties."
Courier text | Information you need to type into a data entry field. For example, when you see "Type AuthorizationServers", you should type each individual letter key to make up the word AuthorizationServers.
BOLD SMALL CAPS | Specific keys you need to press. For example, when you see "Press ENTER", you should press the ENTER key on your keyboard.
About BusinessObjects Planning
The BusinessObjects Planning product suite provides Web-enabled, vertical
industry-targeted enterprise analytics software that helps companies
measure, analyze, and predict business performance and profitability.
Organizations leverage the suite for real-time business planning and
forecasting, accelerating mergers and acquisitions, understanding business
performance by customer segment, product, channel and business line, and
delivering performance management information across the enterprise.
BusinessObjects Planning is the only suite that is selectively packaged into a
series of applications, each one tailored to support a different segment of the
user community. Moreover, every user leverages a common information
infrastructure. All user applications are driven by the same set of data,
business rules, user rights, and report templates, and any changes are
automatically synchronized across the enterprise.
The product suite includes the following applications:
BusinessObjects Planning Administrator
BusinessObjects Planning Administrator allows nontechnical users to rapidly
and easily configure, deploy, and administer BusinessObjects Planning
applications across multiple sites. From a central site, and leveraging an
intuitive graphical interface, drag-and-drop functions, and advanced
automation capabilities, users can install and synchronize geographically
dispersed sites, assign user access rights, and build and manage multiple
business models.
BusinessObjects Planning Analyst Pro
BusinessObjects Planning Analyst Pro is designed for nontechnical users
who have sophisticated information requirements. A comprehensive range of
formatting features and drag-and-drop functions allows users to easily create
and maintain reports. In addition, users can quickly build, manage, and
execute scripts that automate complex tasks such as scheduled report
production and distribution.
BusinessObjects Planning Analyst
BusinessObjects Planning Analyst provides secure remote access to real-
time report information anywhere, anytime, through a Web browser. Intelligent
graphic indicators, drill-down toolbars, built-in annotation capabilities,
forecasting tools, and a sophisticated charting interface allow users to easily
view, enter, and edit report data.
BusinessObjects Planning Excel Analyst
The BusinessObjects Planning Excel Analyst allows users to leverage
advanced analytics, superior performance, and automated information
synchronization and distribution capabilities, all from within a familiar
Microsoft Excel environment.
Related documentation
For information about installing and using BusinessObjects Planning, please
refer to the following documentation:
Installing BusinessObjects Planning Sites
This guide describes how to install a BusinessObjects Planning site that uses
either a Microsoft SQL Server or Oracle database.
Installing BusinessObjects Planning Server Components
This guide describes how to install the BusinessObjects Planning Server
components to allow Internet-based use of BusinessObjects Planning. It
provides installation and configuration instructions for the BusinessObjects
Planning Analyst site, the BusinessObjects Planning Gateway,
BusinessObjects Planning Server, and BusinessObjects Planning Scheduler.
Installing BusinessObjects Planning Workstation Applications
This guide describes how to install and configure BusinessObjects Planning
Administrator, BusinessObjects Planning Analyst Pro, and BusinessObjects
Planning Excel Analyst on user workstations.
BusinessObjects Planning Server Components Administration Guide
This guide, designed for administrators, describes how to configure and
manage BusinessObjects Planning Servers and BusinessObjects Planning
Gateways. It provides information about using the BusinessObjects Planning
Site Monitor tool to manage the BusinessObjects Planning enterprise, the
Planning.ini configuration file, load balancing, and other configurable
properties.
Customizing BusinessObjects Planning Installations
This guide describes how to modify configurable properties in
BusinessObjects Planning configuration files or executables to create
customized installations.
Using the BusinessObjects Planning Configuration Assistant
This guide describes how to use the BusinessObjects Planning Configuration
Assistant to configure client applications, create or modify connections to
BusinessObjects Planning sites, or create configuration reports to aid in
troubleshooting.
Administrator's Guide
This guide describes how to configure, customize, and maintain
BusinessObjects Planning applications on behalf of other users. This guide
includes conceptual and background information on the features and
functions of the applications. It also gives examples of how to use
BusinessObjects Planning Administrator and BusinessObjects Planning
Analyst Pro.
BusinessObjects Planning Reporting Guide
This guide describes how to create, use, and format reports using
BusinessObjects Planning Administrator and BusinessObjects Planning
Analyst Pro. This guide explains reporting-related concepts and provides
step-by-step instructions.
BusinessObjects Planning Analyst User Guide
This guide describes how to use BusinessObjects Planning Analyst to
access, view, and analyze BusinessObjects Planning reports in a World Wide
Web environment.
BusinessObjects Planning Excel Analyst User Guide
This guide serves two purposes. It describes how to use the BusinessObjects
Planning Excel Analyst to access, view, and analyze BusinessObjects
Planning reports in an Excel environment. It also describes how to use the
BusinessObjects Planning Excel Analyst to create ad hoc reports that query
business rules and data in your BusinessObjects Planning environment. This
guide explains reporting-related concepts and provides step-by-step
instructions.
BusinessObjects Planning Workflow Guide
This guide is intended for BusinessObjects Planning users who deal with their
organization's Workflow plans and who are responsible for administering,
submitting, and approving Workflow scenarios. It contains conceptual and
background information on the elements of Workflow in BusinessObjects
Planning and gives examples of how to apply Workflow to an organization's
planning and forecasting process. As Workflow functions are not specific to
one application in BusinessObjects Planning, this guide includes Workflow-
related information for BusinessObjects Planning Administrator,
BusinessObjects Planning Analyst Pro, BusinessObjects Planning Analyst,
and Workflow Console.
Configuring Security Guide
This guide, designed for administrators, describes how to configure and
manage authentication and security for a BusinessObjects Planning site.
Online help
The online help provides step-by-step instructions for using BusinessObjects
Planning applications. The online help also provides reference and
conceptual information. To access online help in BusinessObjects Planning
Administrator or BusinessObjects Planning Analyst Pro, select Help from the
Help menu on the Organizer toolbar, or press F1. To access online help in
BusinessObjects Planning Analyst, BusinessObjects Planning Excel Analyst,
or Workflow Console, click the Help button on the application toolbar.
Chapter 2
About Security
This chapter provides information about security within BusinessObjects
Planning, and covers the following areas:
Authentication
About BusinessObjects Planning security components
Authorization
Object-level security
Database security
Authentication
Authentication is the key to the perimeter of any system. It asks the question:
"Are you who you say you are?" BusinessObjects Planning does not maintain
a separate set of passwords, since your enterprise already has a strong,
well-understood, and well-resourced catalog of users and passwords, with a
carefully thought-out set of policies. Instead, BusinessObjects Planning
integrates with it, ensuring consistency of user IDs, password policies, and
password strengths. BusinessObjects Planning supports both integrated
Windows authentication and non-Windows authentication, and supplies a
utility to configure the authentication mechanisms for your site.
Integrated Windows authentication
For enterprises using Microsoft Active Directory, BusinessObjects Planning
applications can take advantage of the single sign-on Windows features and
obtain the user's credentials directly from the operating system.
BusinessObjects Planning never needs to handle the password. This applies
to the desktop applications as well as Internet Explorer-based clients.
Non-Windows authentication
For enterprises that do not have Windows security and user management
throughout their organization, BusinessObjects Planning supports plug-in
authentication mechanisms. BusinessObjects Planning applications prompt
users for credentials, and route them to an enterprise authentication server
for validation. BusinessObjects Planning supports the following non-Windows
authentication methods:
Novell
LDAP
Third-party ISAPI authentication filters (for example, DAF, AuthentiX)
Custom ISAPI filters (documentation, sample code, and assistance are
available from BusinessObjects Planning Consulting)
About BusinessObjects Planning security components
BusinessObjects Planning security components allow you to configure
security on your site, as well as to set up non-Windows authentication
sources. BusinessObjects Planning provides the following security
components:
BusinessObjects Planning Login Server
BusinessObjects Planning Security Configuration tool
BusinessObjects Planning ISAPI filter
BusinessObjects Planning Login Server
The BusinessObjects Planning Login Server is a Windows NT service that
handles user authentication against a variety of authentication sources. The
BusinessObjects Planning Login Server can communicate with the following
authentication sources:
Windows domain authentication
Novell NDS trees
HTTP server authentication
For more information on the BusinessObjects Planning Login Server, see
"Installing and Configuring BusinessObjects Planning Login Server" on
page 57.
Note: If you are only using Windows domain authentication for your site, you
do not need to install a BusinessObjects Planning Login Server.
BusinessObjects Planning Security Configuration tool
The BusinessObjects Planning Security Configuration tool allows you to
configure multiple aspects of security for your BusinessObjects Planning site.
The tool allows you to perform the following actions:
Edit the database access parameters: This feature allows you to modify the Planning.ini file to point to a new database if the BusinessObjects Planning site's database has changed.
Configure the shared folder access account: By default, BusinessObjects Planning uses Windows authentication to authenticate its users. However, there may be some BusinessObjects Planning users who are not working from a Windows domain. This feature lets you specify a dedicated Windows domain account for all unauthenticated users to use.
Configure login account types: By default, BusinessObjects Planning uses Windows authentication. This feature allows you to use other forms of authentication to authenticate your users.
Configure login confirmation: This feature allows you to specify whether users must always enter their username and password when trying to gain access to BusinessObjects Planning.
Configure user auto-creation: This feature allows you to specify whether user IDs are automatically created in BusinessObjects Planning upon successful login.
Configure external authentication servers: This feature allows you to specify which BusinessObjects Planning Login Servers are used to authenticate user logins.
For more information on the BusinessObjects Planning Security Configuration
tool, see "Using the Security Configuration Tool" on page 67.
BusinessObjects Planning ISAPI filter
The BusinessObjects Planning ISAPI filter is a configurable filter that can be
installed on your BusinessObjects Planning web site to handle user
authentication against a variety of authentication sources. The
BusinessObjects Planning ISAPI filter can communicate with the following
authentication sources:
Windows domain authentication
Novell NDS trees
LDAP repositories
For more information on the BusinessObjects Planning ISAPI filter, see
"Installing and Configuring the BusinessObjects Planning ISAPI Filter" on
page 87.
Note: If you are only using Windows domain authentication for your site, you
do not need to install a BusinessObjects Planning Login Server.
The following diagram displays a sample site that uses both BusinessObjects
Planning Login Server and BusinessObjects Planning ISAPI filter with LDAP
authentication to authenticate its users. For web clients, the login request is
sent from the BusinessObjects Planning ISAPI filter to the LDAP repository. If
the login is successful, the request then proceeds to the BusinessObjects
Planning Application Server and ultimately to the BusinessObjects Planning
site. For thick clients, the login request is directed through a BusinessObjects
Planning Login Server to the LDAP repository. If the login is successful, the
thick clients then directly connect to the BusinessObjects Planning site.
Authorization
Authorization asks the question: "What are you allowed to see or do?" All
BusinessObjects Planning objects and high-level operations are subject to
authorization controls that limit which users may view, execute, modify,
annotate, create, or delete objects.
To simplify administration, privileges may be granted on object hierarchies
and are then inherited by all members of the hierarchies. Also, administrators
may define user groups and grant privileges to groups rather than to individual
users.
BusinessObjects Planning supports controls on the granting of privileges.
Users may grant only privileges that they have and have been entitled to
grant.
[Diagram: sample site with LDAP authentication. Labels: LDAP Repository; Laptop; Network Load Balancer; Cartesis Planning Login Server; Web servers with Cartesis Planning ISAPI filter; Cartesis Planning Application Server; Cartesis Planning File Server/Database; Workstations; Cartesis Planning Analyst Pro]
User impersonation is also supported. Users who are entitled to grant
impersonation rights may allow other users to impersonate them. During
impersonation, the user has the same access rights as the user being
impersonated, but the audit trail shows both the real user and the user being
impersonated.
When a BusinessObjects Planning site is installed, the login domain and
name of the Core user must be supplied. This user has full privileges to the
BusinessObjects Planning site. The site installation also defines the system
user group, Site Administrators, with a single member, the Core user. Site
Administrators and the Core user have virtually the same, universal access.
Site Administrators have less control only on areas concerning remote sites.
Beyond these two system-defined roles, BusinessObjects Planning roles are
fully user-defined. The Core user grants selective privileges and delegation
privileges to other users or user groups.
The Core user login may be disabled after the initial configuration and
delegation. Impersonation privileges for the Core user may be selectively
granted if desired.
BusinessObjects Planning supports user-defined groups of users and nested
groups. There are also system-defined groups such as Everyone, Users at
Site , and groups built for specific functions, such as report creators.
These groups may also be included in user-defined groups. A user can be
part of multiple groups as required.
For information on creating groups, refer to the Administrator's Guide.
Object-level security
Security rights are assigned by granting access rights to view and to modify
data for certain business model components. Assigning user rights to
scenarios makes it very easy and flexible to control the data a user can view
and/or modify. For example, a user can be granted rights to view only the
scenarios that contain official actuals for a given year, while other
users are granted rights to view and modify scenarios that contain versions of the
business plan.
Access to reports can be assigned on an individual basis or to a group of
reports, by granting rights on reporting folders. If rights are assigned on a
folder, all reports in that folder inherit the same rights.
Within BusinessObjects Planning security, the following objects can be
administered with the following rights:
Data Sets (such as Plan but not Actuals, read/write, consolidate, and so forth)
Reports (control, modify, run)
Business Models (view, control, modify)
Scripts (control, modify, run)
Spreadsheets (control, modify)
Rates (modify, view)
Business Unit Dimensions (view, control, modify)
For information on assigning object-level rights, refer to the Administrator's
Guide.
Database security
BusinessObjects Planning users never need to know the database password
to use the application. When a BusinessObjects Planning site is installed, the
database administrator must provide the name and password of a user who
owns the site's database. This database user ID can already exist, or it can be
created by the installation program. Once created, this database user ID is
used by all BusinessObjects Planning applications to gain access to the
database. The user's name and encrypted password are stored in the shared
Planning.ini file for all applications to retrieve, but because the password is
encrypted in the file, it is not readable by your users.
Chapter 3
Configuring Shared Folder Access
This chapter provides information about the BusinessObjects Planning
shared folder and the possible types of access that can be granted to it.
Specifically, this chapter provides information about:
Shared folder access
Configuring basic access
Configuring group access
Shared folder access
The BusinessObjects Planning shared folder contains shared configuration
files and files for BusinessObjects Planning objects such as business models,
scripts, reports, and templates. All BusinessObjects Planning applications,
beyond a few specialized Windows services and thin clients, require access
to the BusinessObjects Planning shared folder at a site. BusinessObjects
Planning allows for two models of shared folder authorization:
Basic: Used for those sites where non-Windows authentication is in use.
Group: Used for those sites where an administrator wants to specify individually which Windows users and user groups are allowed to see the contents of the shared folder and the shared Planning.ini file.
The mode of access that you choose for your site is dependent on the
security policies within your organization.
The order in which BusinessObjects Planning authenticates users is as
follows:
1. BusinessObjects Planning attempts to gain access to the config and
public folders of the BusinessObjects Planning shared folder using the
user's account.
If the user has valid credentials for any of the configured authentication
types, BusinessObjects Planning validates the user. See "Configuring
login account types" on page 75 for more information.
2. For those users who don't have valid credentials, BusinessObjects
Planning uses the shared account option to access the share.
Configuring basic access
Basic access is a simple way to limit access to the BusinessObjects Planning
shared folder. In basic access, all BusinessObjects Planning applications use
the same shared folder account to gain access to the site. When a request
comes in from a BusinessObjects Planning application, the application
attempts to read the shared folder using the credentials of the user. When this
fails, the application defaults to the bootstrap account. This account reads the
Planning.ini file to get the SharedDirectory account and password. Once the
SharedDirectory account is known, this account is then used to view the
contents of the BusinessObjects Planning shared folder.
Configuring basic access requires the following steps:
1. Remove all user and group rights from the BusinessObjects Planning
shared folder.
2. Create an account on the shared folder machine. This account is used as
the dedicated account by all BusinessObjects Planning applications
when gaining access to the shared folder.
3. Grant view and modify rights to the shared folder for the shared account.
4. Create the bootstrap account on the shared folder machine. This account
is a default account for initial shared file access. (Contact your
BusinessObjects Planning Consultant for information about the default
username and password for this account.)
5. Grant read access on the Planning.ini file to the bootstrap account.
6. Use the BusinessObjects Planning Security Configuration tool to
configure the protected access to the shared folder and to set up the
shared account. For information on how to do this, see "Configuring
BusinessObjects Planning shared folder access" on page 74.
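Steps 1 to 5 above, scripted as an added example (not from the guide or from Business Objects). It assumes Windows PowerShell 5.1 run elevated on the shared folder machine and an English-language Windows; the folder path, the Planning.ini path, both account names, and the choice to keep Administrators and SYSTEM on the folder are assumptions to replace with your site's values.

```powershell
# Added example: basic access, steps 1-5. Every path and account name is a placeholder.
$SharedFolder     = 'D:\PlanningShare'               # hypothetical shared folder path
$PlanningIni      = 'D:\PlanningShare\Planning.ini'  # hypothetical; use the file's real location
$SharedAccount    = 'PlanningShared'                 # hypothetical dedicated shared account
$BootstrapAccount = 'PlanningBootstrap'              # placeholder; the real default name and
                                                     # password come from your consultant
$Rights = [System.Security.AccessControl.FileSystemRights]
$Allow  = [System.Security.AccessControl.AccessControlType]::Allow

# Steps 2 and 4: create the shared account and the bootstrap account as local accounts.
foreach ($name in $SharedAccount, $BootstrapAccount) {
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Password for $name"
        New-LocalUser -Name $name -Password $pw `
            -Description 'BusinessObjects Planning shared folder access' | Out-Null
    }
}

# Step 1: remove all user and group rights from the shared folder.
$acl = Get-Acl -LiteralPath $SharedFolder
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited entries
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRuleAll($ace) }

# Step 3: grant view and modify rights to the shared account. Administrators and
# SYSTEM are kept so the folder stays manageable (an assumption, not a guide step).
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$noProp  = [System.Security.AccessControl.PropagationFlags]::None
$grants  = @(
    @{ Id = 'BUILTIN\Administrators';             Right = $Rights::FullControl },
    @{ Id = 'NT AUTHORITY\SYSTEM';                Right = $Rights::FullControl },
    @{ Id = "$env:COMPUTERNAME\$SharedAccount";   Right = $Rights::Modify }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $g.Id, $g.Right, $inherit, $noProp, $Allow)
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $SharedFolder -AclObject $acl

# Step 5: grant the bootstrap account read access on Planning.ini only.
$iniAcl = Get-Acl -LiteralPath $PlanningIni
$iniAcl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
    "$env:COMPUTERNAME\$BootstrapAccount", $Rights::Read, $Allow)))
Set-Acl -LiteralPath $PlanningIni -AclObject $iniAcl

# Check: list any identity on the folder that the procedure did not put there.
$expected   = $grants | ForEach-Object { $_.Id }
$unexpected = (Get-Acl -LiteralPath $SharedFolder).Access |
    Where-Object { $expected -notcontains $_.IdentityReference.Value }
if ($unexpected) {
    Write-Warning 'Unexpected entries remain on the shared folder:'
    $unexpected | Select-Object IdentityReference, FileSystemRights, IsInherited
} else {
    'Shared folder ACL contains only the expected accounts.'
}
```

Step 6 is still performed in the BusinessObjects Planning Security Configuration tool, and share-level permissions are outside what this script touches.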
Overriding the bootstrap account
BusinessObjects Planning provides an option for a local override on the
bootstrap account. This override may be either in the form of environment
variables (which take precedence), or as a set of registry entries. The registry
entries must appear in the same location as the existing BusinessObjects
Planning settings.
Registry Settings:
BootstrapAccount="[domain name\]account name"
BootstrapPassword="" - encrypted using standard BusinessObjects Planning encryption
Environment variables:
CTP_BootstrapAccount
CTP_BootstrapPassword
Warning: If you choose to override the bootstrap account, then all
BusinessObjects Planning applications must have registry settings or
environment variables that set the bootstrap account, otherwise the
applications cannot open the Planning.ini file and connect to the site.
Configuring group access
Group access is a more detailed way to control access to the
BusinessObjects Planning shared folder. With group access, an administrator
defines user groups and assigns folder-level permissions to these user
groups. This ensures that only those users who are assigned to the correct
group have access to the shared folder.
Configuring group access to the BusinessObjects Planning shared folder
requires the following steps:
1. Define the local groups that will have rights to access the shared folder.
2. Create the local groups and add users to the groups.
3. Share the BusinessObjects Planning folder so that it is visible over the
network.
4. Grant file-level permissions to the shared folder's subfolders.
Note: You must ensure that the shared folder is properly configured so that
users and user groups can gain access to the shared folder over the network.
Note: Before a BusinessObjects Planning application can be installed on a
client machine, you as the administrator must have rights to the shared
installation folder. In addition, the primary user of the client machine you are
installing on must be a member of one of the configured groups.
Basic file-level permissions
You can define any set of groups to access the shared folder, provided the
access structure is created. The standard way to allow access to the
BusinessObjects Planning shared folder is to create the following groups:
PlanningFinance - For BusinessObjects Planning application users
PlanningAdministrators - For BusinessObjects Planning application administrators
Note: The groups listed above are examples that show how to use basic
file-level permissions for your organization. The actual groups and folder
rights you use depend on the needs of your organization.
In this basic group environment, the following access rights should be
granted:
Group Permissions
Shared Folder file or subfolder | PlanningFinance | PlanningAdministrators
a | Read, Write | Read, Write
\Config | Read | Read, Write
\ | Read | Read, Write
\Public | Write permissions for all users on all subfolders, since they contain publicly accessible objects such as business models, scripts, and reports
Note: is the root level of the BusinessObjects Planning site's shared
folder.
Note: is the path to the folder that contains installation files for
BusinessObjects Planning applications. It is recommended that you create
this folder and copy the BusinessObjects Planning installation files from the
CD to this central location.
Extended file-level permissions
You may prefer to apply more exclusive permissions to your shared folder
and its subfolders. Instead of creating just the PlanningFinance and
PlanningAdministrators groups, you could create four groups:
PlanningFinance - Application users who only view information
PlanningAnalysts - Analysts who create reports
PlanningModellers - Model writers who create models or write scripts
PlanningAdministrators - Administrators
Note: The groups listed above are examples that show how to use extended
file-level permissions for your organization. The actual groups and folder
rights you use depend on the needs of your organization.
In this extended group environment, the following access rights should be
granted:
Group Permissions
Shared Folder file or subfolder | PlanningFinance | PlanningAnalysts | PlanningModellers | PlanningAdministrators
a | Read, Write | Read, Write | Read, Write | Read, Write
Logs | Read, Write | Read, Write | Read, Write | Read, Write
Config | Read | Read | Read | Read, Write
 | Read | Read | Read | Read, Write
\Public\Reports | Read | Read, Write | Read, Write | Read, Write
\Public\Favorites | Read | Read, Write | Read, Write | Read, Write
\Public\Model | Read | Read | Read, Write | Read, Write
\Public\Scripts | Read | Read | Read, Write | Read, Write
a. All users need read and write access to the root of the shared folder in order to write to any log files in this folder.
Note: is the root level of the BusinessObjects Planning site's shared
folder.
Note: is the path to the folder that contains installation files for
BusinessObjects Planning applications. It is recommended that you create
this folder and copy the BusinessObjects Planning installation files from the
CD to this central location.
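The extended permissions table above, turned into an ACL audit. This is an added example, not part of the guide: the function names, the CORP domain and the sample rules are constructed, and only ACEs that name one of the example groups directly are evaluated.

```powershell
# Added example, not from the guide: report where folder ACLs differ from the
# extended permissions table. Group names are the guide's example groups.
$Groups = 'PlanningFinance', 'PlanningAnalysts', 'PlanningModellers', 'PlanningAdministrators'

# Rows of the extended table, columns in $Groups order (R = Read, RW = Read, Write).
# '.' is the shared folder root (footnote a). The installation-files folder is
# left out because its path is chosen per site.
$Expected = [ordered]@{
    '.'                = 'RW', 'RW', 'RW', 'RW'
    'Logs'             = 'RW', 'RW', 'RW', 'RW'
    'Config'           = 'R',  'R',  'R',  'RW'
    'Public\Reports'   = 'R',  'RW', 'RW', 'RW'
    'Public\Favorites' = 'R',  'RW', 'RW', 'RW'
    'Public\Model'     = 'R',  'R',  'RW', 'RW'
    'Public\Scripts'   = 'R',  'R',  'RW', 'RW'
}

function Get-GrantedLevel {
    # Collapse the ACEs naming $Group into R, RW, W or none.
    # Generic rights and nested group membership are not expanded.
    param($Rules, [string]$Group)
    $allow = 0; $deny = 0
    foreach ($rule in $Rules) {
        # Accept both "Group" and "DOMAIN\Group".
        if ((([string]$rule.IdentityReference) -split '\\')[-1] -ne $Group) { continue }
        $mask = [int]$rule.FileSystemRights
        if ([string]$rule.AccessControlType -eq 'Allow') { $allow = $allow -bor $mask }
        else { $deny = $deny -bor $mask }
    }
    $effective = $allow -band (-bnot $deny)
    $read  = [bool]($effective -band 1)    # FileSystemRights.ReadData
    $write = [bool]($effective -band 2)    # FileSystemRights.WriteData
    if ($read -and $write) { 'RW' } elseif ($read) { 'R' } elseif ($write) { 'W' } else { 'none' }
}

function Compare-PlanningAcl {
    # $AclByFolder maps a folder name from $Expected to its access rules.
    param([hashtable]$AclByFolder)
    foreach ($folder in $Expected.Keys) {
        for ($i = 0; $i -lt $Groups.Count; $i++) {
            $actual = Get-GrantedLevel -Rules $AclByFolder[$folder] -Group $Groups[$i]
            $want   = $Expected[$folder][$i]
            if ($actual -ne $want) {
                [pscustomobject]@{ Folder = $folder; Group = $Groups[$i]; Expected = $want; Actual = $actual }
            }
        }
    }
}

function Get-PlanningAcl {
    # Read the live ACLs below a shared folder root (run on the file server).
    param([string]$SharedRoot)
    $acls = @{}
    foreach ($folder in $Expected.Keys) {
        $path = Join-Path $SharedRoot $folder
        if (Test-Path -LiteralPath $path) { $acls[$folder] = (Get-Acl -LiteralPath $path).Access }
    }
    $acls
}

# Constructed sample: rules that match the table, plus one extra ACE that
# gives PlanningAnalysts Modify on Config.
function New-SampleRule($Identity, $Rights, $Type = 'Allow') {
    [pscustomobject]@{
        IdentityReference = $Identity
        AccessControlType = $Type
        FileSystemRights  = [System.Security.AccessControl.FileSystemRights]$Rights
    }
}
$sample = @{}
foreach ($folder in $Expected.Keys) {
    $sample[$folder] = for ($i = 0; $i -lt $Groups.Count; $i++) {
        $rights = if ($Expected[$folder][$i] -eq 'RW') { 'Read, Write' } else { 'Read' }
        New-SampleRule "CORP\$($Groups[$i])" $rights
    }
}
$sample['Config'] += New-SampleRule 'CORP\PlanningAnalysts' 'Modify'

Compare-PlanningAcl -AclByFolder $sample | Format-Table -AutoSize
# Live use: Compare-PlanningAcl -AclByFolder (Get-PlanningAcl -SharedRoot '<shared folder root>')
```

With the constructed sample the report contains a single row: Config, PlanningAnalysts, expected R, actual RW.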
Chapter 4 Configuring Windows Server 2003
If you are using Windows Server 2003 as a platform for any of the
BusinessObjects Planning server components, including the BusinessObjects
Planning Application Server, the BusinessObjects Planning Web site, and the
BusinessObjects Planning Gateway, you must customize certain security
settings in Windows Server 2003 to allow for the successful operation of BusinessObjects Planning.
You should perform the configuration tasks outlined in this chapter after
completing the installation of the server components. If you have installed
different server components on separate machines, each machine must
possess the proper security settings. For more information on installing
BusinessObjects Planning server components, see the Installing Server
Components guide.
This section provides information on the following topics:
Configuring the Application Server environment on page 28
Configuring the Web Server environment on page 36
Configuring the Application Server environment
If you installed the BusinessObjects Planning Application Server on the
Windows Server 2003 platform, you should perform the following configuration
tasks on the machine that is hosting the Application Server:
Assigning user rights for service logon on page 28
Configuring the Application Server service logon on page 31
Configuring Distributed COM on page 32
Assigning user rights for service logon
The BusinessObjects Planning Application Server runs as a Windows
service. You must ensure that the user account under which the Application
Server service will run is a registered BusinessObjects Planning user account
and has the appropriate rights to register Windows services.
To assign user rights for service logon:
1. Click the Start button and select Run from the menu.
2. In the Run dialog box, type secpol.msc and click OK.
3. In the left pane of the Local Security Settings manager, expand the Local
Policies folder and select User Rights Assignment.
4. In the right pane, double-click the Log on as a service policy.
5. On the Local Security Setting page, ensure that the user account under
which the Application Server service will run appears in the display box. If
this user account appears, go directly to step 9. If it does not, continue to
step 6.
Note: The user account under which the Application Server service will
run must be a registered BusinessObjects Planning user account.
6. Click Add User or Group.
7. In the Enter the object names to select text box, type the user account
under which the Application Server service will run. (You can click Check
Names to validate the account information that you have entered.)
8. Click OK.
9. In the Log on as a service Properties dialog box, click OK.
Configuring the Application Server service logon
When the BusinessObjects Planning Application Server service is started, it
logs on to a registered BusinessObjects Planning user account to access all
the necessary resources and objects on the operating system. You must ensure that the service logs on using the proper user account. This user
account is the same account that you identified in Assigning user rights for
service logon on page 28.
To configure the Application Server service logon:
1. From the Windows Administrative Tools menu, select Services.
2. In the Services manager, right-click BusinessObjects Planning Server
and select Properties from the menu.
3. In the BusinessObjects Planning Server Properties (Local Computer)
dialog box, select the Log On tab.
4. On the Log On page, select the This account option and enter the logon
information of the user account under which the Application Server
service will run.
Note: The user account under which the Application Server service will
run must be a registered BusinessObjects Planning user account.
5. Click OK.
Configuring Distributed COM
You must customize the security settings for Distributed COM so that the
BusinessObjects Planning Application Server can properly communicate with
the BusinessObjects Planning Gateway.
To configure Distributed COM:
1. From the Windows Administrative Tools menu, select Component
Services.
2. In the left pane of the Component Services manager, expand
Component Services and Computers.
3. Right-click My Computer and select Properties from the menu.
4. In the My Computer Properties dialog box, select the Default Properties
tab.
5. Ensure that the Enable Distributed COM on this computer check box
is selected.
6. Ensure that the Default Authentication Level is set to Connect.
Note: If you installed the BusinessObjects Planning Application Server
and the BusinessObjects Planning Web server components on a single
machine, you should set the Default Authentication Level to None.
7. Ensure that the Default Impersonation Level is set to Identify.
8. Select the COM Security tab.
9. On the COM Security page, select Edit Default under Access
Permissions.
10. In the Access Permission dialog box, click Add.
11. In the Enter the object names to select text box, type Anonymous Logon.
(You can click Check Names to validate the account information that you
have entered.)
12. Click OK.
13. Under Permissions for ANONYMOUS LOGON, grant the following rights:
Allow Local Access
Allow Remote Access
14. Repeat steps 10 to 13 for the following objects:
The Everyone group
The user account under which the CtpWebGate DCOM object will run (for more information about the CtpWebGate DCOM object, see
Configuring the BusinessObjects Planning Gateway on page 43).
15. Click OK.
16. On the COM Security page, select Edit Default under Launch and
Activation Permissions.
17. In the Launch Permission dialog box, click Add.
18. In the Enter the object names to select text box, type Everyone. (You can
click Check Names to validate the account information that you have
entered.)
19. Click OK.
20. Under Permissions for Everyone, grant the following rights:
Allow Local Launch
Allow Remote Launch
Allow Local Activation
Allow Remote Activation
21. Repeat steps 17 to 20 for the following objects:
The machine's Administrators group
The user account under which the CtpWebGate DCOM object will run (for more information about the CtpWebGate DCOM object, see
Configuring the BusinessObjects Planning Gateway on page 43).
22. In the Launch Permission dialog box, click OK.
23. In the My Computer Properties dialog box, click OK.
Configuring the Web Server environment
If you installed the BusinessObjects Planning Gateway or BusinessObjects
Planning Web site on the Windows Server 2003 platform, you should perform
the following configuration tasks on the machine(s) hosting these server
components:
Configuring Distributed COM on page 37
Configuring the BusinessObjects Planning Analyst IIS COM+
application on page 40
Configuring the BusinessObjects Planning Gateway on page 43
Configuring DCOM machine launch restrictions on page 50
Granting necessary folder access rights on page 52
Configuring Internet Information Services (IIS) on page 54
Note: After making any configuration changes to the BusinessObjects
Planning Web site or BusinessObjects Planning Gateway, you should restart IIS.
Configuring Distributed COM
You must customize the security settings for Distributed COM on the machine
acting as the Web Server so it can properly communicate with the
BusinessObjects Planning Application Server.
To configure Distributed COM:
1. From the Windows Administrative Tools menu, select Component
Services.
2. In the left pane of the Component Services manager, expand
Component Services and Computers.
3. Right-click My Computer and select Properties from the menu.
4. In the My Computer Properties dialog box, select the Default Properties
tab.
5. Ensure that the Enable Distributed COM on this computer check box
is selected.
6. Ensure that the Default Authentication Level is set to None.
7. Ensure that the Default Impersonation Level is set to Identify.
8. Select the COM Security tab.
9. On the COM Security page, select Edit Default under Access
Permissions.
10. In the Access Permission dialog box, ensure that SELF and SYSTEM are
present in the Group or user names list and that they are granted the
following rights:
Allow Local Access
Allow Remote Access
11. Click OK.
12. On the COM Security page, select Edit Default under Launch and
Activation Permissions.
13. In the Launch Permission dialog box, ensure that the machine's
Administrators group, INTERACTIVE, and SYSTEM are present in the
Group or user names list and that they are granted the following rights:
Allow Local Launch
Allow Remote Launch
Allow Local Activation
Allow Remote Activation
14. In the Launch Permission dialog box, click OK.
15. In the My Computer Properties dialog box, click OK.
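An added example, not part of the guide, for checking the result of the two Configuring Distributed COM procedures: it compares the machine-wide DCOM defaults with the values prescribed for each machine role and lists the principals that hold remote COM rights. The role names, function names and sample values are assumptions; the values are read from HKLM\SOFTWARE\Microsoft\Ole, where Windows stores these defaults.

```powershell
# Added example, not from the guide. Requires PowerShell 5 or later on Windows.
$AuthLevel = @{ 1 = 'None'; 2 = 'Connect'; 3 = 'Call'; 4 = 'Packet'; 5 = 'Packet Integrity'; 6 = 'Packet Privacy' }
$ImpLevel  = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

# Values the chapter prescribes on the Default Properties tab, per role.
# SingleMachine = Application Server and Web server components on one machine.
$Prescribed = @{
    ApplicationServer = @{ EnableDCOM = 'Y'; Authentication = 'Connect'; Impersonation = 'Identify' }
    WebServer         = @{ EnableDCOM = 'Y'; Authentication = 'None';    Impersonation = 'Identify' }
    SingleMachine     = @{ EnableDCOM = 'Y'; Authentication = 'None';    Impersonation = 'Identify' }
}

# COM permission bits as shown in the Access and Launch permission dialogs.
$ComRight = @{
    Access = @{ 2 = 'Local Access'; 4 = 'Remote Access' }
    Launch = @{ 2 = 'Local Launch'; 4 = 'Remote Launch'; 8 = 'Local Activation'; 16 = 'Remote Activation' }
}

function Get-DcomDefaults {
    # Read the live machine-wide defaults; a value that was never set stays empty.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole'
    [pscustomobject]@{
        EnableDCOM     = $ole.EnableDCOM
        Authentication = $AuthLevel[[int]$ole.LegacyAuthenticationLevel]
        Impersonation  = $ImpLevel[[int]$ole.LegacyImpersonationLevel]
    }
}

function Compare-DcomDefaults {
    # Return one row per setting that differs from the prescribed value.
    param($Actual, [ValidateSet('ApplicationServer', 'WebServer', 'SingleMachine')][string]$Role)
    foreach ($name in 'EnableDCOM', 'Authentication', 'Impersonation') {
        $want = $Prescribed[$Role][$name]
        $have = $Actual.$name
        if (-not $have) { $have = '(not set)' }
        if ($have -ne $want) {
            [pscustomobject]@{ Setting = $name; Prescribed = $want; Actual = $have }
        }
    }
}

function Get-ComAclEntry {
    # $Descriptor is an SDDL string, or the REG_BINARY bytes of
    # DefaultAccessPermission / DefaultLaunchPermission.
    param([Parameter(Mandatory)]$Descriptor, [ValidateSet('Access', 'Launch')][string]$Kind)
    $sd = if ($Descriptor -is [string]) {
        [System.Security.AccessControl.RawSecurityDescriptor]::new($Descriptor)
    } else {
        [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$Descriptor, 0)
    }
    foreach ($ace in $sd.DiscretionaryAcl) {
        $rights = foreach ($bit in 2, 4, 8, 16) {
            if (($ace.AccessMask -band $bit) -and $ComRight[$Kind].ContainsKey($bit)) { $ComRight[$Kind][$bit] }
        }
        [pscustomobject]@{
            Sid    = $ace.SecurityIdentifier.Value
            Type   = $ace.AceType
            Rights = $rights -join ', '
            Remote = [bool]($ace.AccessMask -band 20)   # bits 4 and 16 are the remote rights
        }
    }
}

# Constructed sample 1: a Web Server still at the Connect authentication level.
$sampleDefaults = [pscustomobject]@{ EnableDCOM = 'Y'; Authentication = 'Connect'; Impersonation = 'Identify' }
Compare-DcomDefaults -Actual $sampleDefaults -Role WebServer | Format-Table -AutoSize

# Constructed sample 2: a default access ACL granting local and remote access to
# SYSTEM (SY), ANONYMOUS LOGON (AN) and Everyone (WD), in SDDL form.
$sampleAccess = 'O:BAG:BAD:(A;;CCDCLC;;;SY)(A;;CCDCLC;;;AN)(A;;CCDCLC;;;WD)'
Get-ComAclEntry -Descriptor $sampleAccess -Kind Access | Where-Object Remote | Format-Table -AutoSize

# Live use on the server being checked:
#   Compare-DcomDefaults -Actual (Get-DcomDefaults) -Role ApplicationServer
#   $ole = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Ole'
#   Get-ComAclEntry -Descriptor $ole.DefaultAccessPermission -Kind Access
#   Get-ComAclEntry -Descriptor $ole.DefaultLaunchPermission -Kind Launch
```

The first sample reports Authentication as prescribed None, actual Connect; the second lists S-1-5-18, S-1-5-7 and S-1-1-0 as holders of Remote Access.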
Configuring the BusinessObjects Planning Analyst IIS COM+ application
You must configure the security settings of the COM+ application that was
installed for the BusinessObjects Planning Analyst site.
To configure the BusinessObjects Planning Analyst IIS COM+ application:
1. From the Windows Administrative Tools menu, select Component
Services.
2. In the left pane of the Component Services manager, expand
Component Services and Computers.
3. Expand My Computer and COM+ Applications.
4. Right-click the IIS entry for the BusinessObjects Planning Analyst site
(typically IIS-{Default Web Site/Root/BusinessObjectsPlanningWeb})
and select Properties from the menu.
5. In the IIS Properties dialog box, select the Security tab.
6. On the Security page, ensure that the Enforce access checks for this
application check box is cleared.
7. Ensure that the Perform access checks only at the process level
option is selected.
8. Ensure that the Authentication Level for Calls is set to Packet.
9. Ensure that the Impersonation Level is set to Impersonate.
10. Select the Identity tab.
11. On the Identity page, ensure that the This user option is selected and
that the IWAM (Internet Web Application Manager) user account
information is displayed. The IWAM account must be the account under
which this COM+ application will run.
12. Click OK.
Configuring the BusinessObjects Planning Gateway
The BusinessObjects Planning Gateway is configured through the
CtpWebGate DCOM object. You must configure the CtpWebGate DCOM
object of the machine on which the BusinessObjects Planning Gateway was
installed.
To configure the BusinessObjects Planning Gateway:
1. From the Windows Administrative Tools menu, select Component
Services.
2. In the left pane of the Component Services manager, expand Component Services and Computers.
3. Expand My Computer and DCOM Config.
4. Right-click CtpWebGate and select Properties from the menu.
5. On the General page of the CtpWebGate Properties dialog box, select
None from the Authentication Level list.
6. Select the Location tab.
7. Ensure that the Run application on this computer check box is
selected and all other check boxes are cleared.
8. Select the Security tab.
9. Under Launch and Activation Permissions, select the Customize option
and click Edit.
10. In the Launch Permission dialog box, click Add.
11. In the Enter the object names to select text box, type Everyone. (You can
click Check Names to validate the account information that you have
entered.)
12. Click OK.
13. Under Permissions for Everyone, grant the following rights:
Allow Local Launch
Allow Remote Launch
Allow Local Activation
Allow Remote Activation
14. Click OK.
15. Under Access Permissions, select the Customize option and click Edit.
16. In the Access Permission dialog box, ensure that SELF and SYSTEM are
present in the Group or user names list and that they are granted the
following rights:
Allow Local Access
Allow Remote Access
17. Click OK.
18. Under Configuration Permissions, select the Customize option and click
Edit.
19. In the Change Configuration Permission dialog box, ensure that the
machine's Administrators group, Power Users group, and Users group,
as well as CREATOR OWNER and SYSTEM, are present in the Group or
user names list and that they are granted the following rights:
Allow Full Control
Allow Read
Allow Special Permissions
20. Click OK.
21. Select the Identity tab.
22. On the Identity page, select the This user option and enter the account
information of the user under which the BusinessObjects Planning
Gateway will run. This user account is the same account that you
identified in Configuring Distributed COM on page 32.
23. Click OK.
Configuring DCOM machine launch restrictions
To allow for successful authentication between machines with different
domains, you must change the DCOM launch permissions on the machine(s)
hosting the BusinessObjects Planning Gateway and BusinessObjects
Planning Web site to include the ANONYMOUS LOGON object.
To configure DCOM machine launch restrictions:
1. Click the Start button and select Run from the menu.
2. In the Run dialog box, type secpol.msc and click OK.
3. In the left pane of the Local Security Settings manager, expand the Local Policies folder and select Security Options.
4. In the right pane, double-click the DCOM: Machine Launch
Restrictions in Security Descriptor Definition Language (SDDL)
syntax policy.
5. On the Template Security Policy Setting page, click Edit Security.
6. In the Launch Permission dialog box, click Add.
7. In the Enter the object names to select text box, type ANONYMOUS LOGON.
(You can click Check Names to validate the account information that you
have entered.)
8. Click OK.
9. Under Permissions for ANONYMOUS LOGON, grant the following rights:
Allow Local Launch
Allow Remote Launch
Allow Local Activation
Allow Remote Activation
10. Click OK.
11. On the Template Security Policy Setting page, click OK.
Granting necessary folder access rights
The worker account that performs all requests for BusinessObjects Planning
is the IWAM_MachineName user. For the BusinessObjects Planning Gateway
to function properly, the IWAM user must have full rights to the following
folders:
The directory where the BusinessObjects Planning Gateway was installed (default installation is
c:\BusinessObjects\Planning\Programs\WebServer)
c:\Windows\system32
To grant necessary folder access rights:
1. In Windows Explorer, right-click on the WebServer folder and select
Sharing and Security from the menu.
2. In the WebServer Properties dialog box, select the Security tab.
3. On the Security page, click Add.
4. In the Enter the object names to select text box, enter the
IWAM_MachineName account name. This IWAM account is the same
account that you identified in Configuring the BusinessObjects Planning
Analyst IIS COM+ application on page 40. (You can click Check Names
to validate the account information that you have entered.)
5. Click OK.
6. Under Permissions, grant the Allow Full Control right.
7. Click OK.
8. Repeat steps 1-7 for the c:\Windows\system32 folder.
Configuring Internet Information Services (IIS)
By default, IIS recycles worker processes every 120 minutes. This action
causes the BusinessObjects Planning Gateway service to restart after 120
minutes of idle time. It is highly recommended that you disable this default
setting. It is also recommended that you disable the idle timeout setting.
To configure Internet Information Services:
1. From the Windows Administrative Tools menu, select Internet
Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager, expand the
Application Pools folder.
3. Right-click DefaultAppPool and select Properties from the menu.
4. In the DefaultAppPool Properties dialog box, in the Recycling tab, clear
the Recycle worker processes (in minutes) checkbox.
5. In the Performance tab, clear the Idle timeout checkbox.
6. Click OK.
Chapter 5 Installing and Configuring BusinessObjects Planning Login Server
The BusinessObjects Planning Login Server is a Windows NT service that
handles user authentication against a variety of authentication sources. The
BusinessObjects Planning Login Server can communicate with the following
authentication sources:
Windows domain authentication
Novell NDS trees
HTTP server authentication
This chapter provides the information necessary to install and configure
BusinessObjects Planning Login Server. Specifically, this chapter provides
information about:
Hardware requirements on page 59
Installing BusinessObjects Planning Login Server on page 59
Configuring BusinessObjects Planning Login Server on page 61
Starting the Login Server on page 64
Adding BusinessObjects Planning Login Server to your authentication scheme on page 65
Error reporting on page 65
Hardware requirements
The following table lists the minimum hardware requirements for
BusinessObjects Planning Login Server.
Requirement | Recommended minimum
CPU | Pentium III - 1.0 GHz
RAM | 256 MB
Available hard drive space | 100 MB
Operating System | Windows 2000 Workstation or Server; Windows Server 2003
Network Bandwidth | Server to server 100 MB/sec
Other | A dedicated local user account on the BusinessObjects Planning Login Server machine. This account is used to start the BusinessObjects Planning Login Server service. If you are using Novell authentication, you must have a Novell client installed on the BusinessObjects Planning Login Server machine.
Installing BusinessObjects Planning Login Server
BusinessObjects Planning Login Server is implemented as a simple Windows
service that runs using the local system account and does not have any
shared file or database access. This section explains how to install
BusinessObjects Planning Login Server.
To install BusinessObjects Planning Login Server:
1. Expand the LoginServer folder on the installation CD or network share
and run BusinessObjectsPlanningLoginServer.msi.
2. In the BusinessObjects Planning Installation Wizard welcome dialog box,
click Next.
3. In the Destination Folder dialog box, accept the default installation path,
or click Change to specify the path to where you want the
BusinessObjects Planning Login Server to be installed.
Note: You cannot change the installation path if you already have a
BusinessObjects Planning application installed on the machine.
4. Click Next.
5. In the Ready to Install the Program dialog box, click Install.
6. In the Folder locations dialog box, in the Path to the local folder text box,
type the path to your local folder or click Browse to select a location.
7. Select Skip the verification of directories if you don't want the installer
to verify that these folders exist.
Warning: If these folders don't exist, the installer will not create them for
you.
8. Click Next.
9. Click Finish.
Configuring BusinessObjects Planning Login Server
BusinessObjects Planning Login Server requires that a minimal set of user
credentials be passed to it in order to verify a user. The minimal set of user
credentials is a user name and password. User domain (for Windows
authentication) or context and tree (Novell authentication) are optional for
different authentication methods. The credentials are encrypted before being sent to the server. BusinessObjects Planning Login Server does not cache
the credentials and removes them from memory when the authentication
process is complete.
After installing the BusinessObjects Planning Login Server, you must
configure settings in the [Login] section in the local Planning.ini file to define
the authentication sources you want to use. BusinessObjects Planning Login
Server supports the following types of authentication:
Windows authentication - BusinessObjects Planning Login Server is able to verify Windows user credentials against:
Windows domains with which the machine can communicate. The authentication request is redirected to the corresponding domain controller.
Its own local machine domain.
Novell authentication - BusinessObjects Planning Login Server verifies Novell user credentials against those NDS trees that are accessible from
the machine.
HTTP-based authentication - BusinessObjects Planning Login Server communicates with an HTTP server using the URL and HTTP method
specified in the local configuration file. The authentication request follows
standard HTTP protocol and it is up to the HTTP server how to handle it.
When configuring BusinessObjects Planning Login Server, you must set the
following parameters:
ActiveAuthenticationModules
If you are using HTTP authentication, you must also set the following
parameters:
HTTPPath
HTTPLoginNamePattern
HTTPRequestTimeout
HTTPMethod
Warning: All changes to the configuration file require a restart of the
BusinessObjects Planning Login Server service for the changes to take effect.
ActiveAuthenticationModules
Purpose: Specifies a comma-separated list of names of authentication modules in the order that they should be queried to verify a user's credentials. If any module succeeds in verifying the credentials, the user is verified and the remaining modules are not queried.
Example: ActiveAuthenticationModules=NT,HTTP
Range of Values: The supported authentication modules are:
NT - authentication against the local machine and Windows domains (default)
NDS - authentication against Novell eDirectory (NDS)
HTTP - authentication against an HTTP server
HTTPPath
Purpose: Specifies the URL to use to authenticate BusinessObjects Planning users. There is no default value. The setting must be defined and have a valid value if the HTTP module is listed as one of the active authentication modules.
Example: HTTPPath=http://authServer1
HTTPLoginNamePattern
Purpose: Specifies the pattern that a user's credentials (name and
optional domain) should follow when sent to the HTTP
server. The pattern should satisfy the requirements of the
specific HTTP server configuration.
The default value is user@domain. However, most IIS
installations and configurations may require that
information be sent as domain\user.
If you are using the BusinessObjects Planning ISAPI filter
to provide your HTTP authentication, this pattern must be
the same as the UserNamePattern used to configure the
ISAPI filter. For more information on this setting, see
Configuring the BusinessObjects Planning ISAPI filter on
page 89.
Example: HTTPLoginNamePattern=user@domain
HTTPRequestTimeout
Purpose: Defines how long (in seconds) the Login Server waits for a
response from the HTTP server. If the server does not
respond within the time defined by the setting, the request
is considered expired and user authentication failed.
Example: HTTPRequestTimeout=420
Range of Values: 60 (1 minute) to 600 (10 minutes)
Default Value: 420 (7 minutes)
HTTPMethod
Purpose: Specifies which HTTP method the BusinessObjects
Planning Login Server uses when sending the
authentication request to the HTTP server.
Example: HTTPMethod=GET
Range of Values: GET, POST
Default Value: GET
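The parameter rules above can be checked mechanically before the Login Server service is restarted. The following is an added example, not code from Business Objects; it assumes the configuration file holds plain key=value lines, and the function names and sample values are constructed for illustration.

```python
from urllib.parse import urlparse

MODULES = {"NT", "NDS", "HTTP"}     # module names the guide lists as supported
HTTP_METHODS = {"GET", "POST"}      # documented range of HTTPMethod
TIMEOUT_MIN, TIMEOUT_MAX = 60, 600  # documented range of HTTPRequestTimeout (seconds)

# Constructed sample settings, not taken from a real installation.
SAMPLE = """\
ActiveAuthenticationModules=NT,HTTP
HTTPPath=http://authServer1
HTTPRequestTimeout=30
HTTPMethod=PUT
"""

def parse_settings(text):
    """Collect key=value lines (assumed layout); skip blanks, comments, [sections]."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def check_login_server(text):
    """Return (severity, message) findings for Login Server settings in text."""
    s = parse_settings(text)
    raw = s.get("ActiveAuthenticationModules", "")
    modules = [m.strip() for m in raw.split(",") if m.strip()]
    findings = []
    if not modules:
        findings.append(("error", "ActiveAuthenticationModules is not set"))
    if len(modules) > 1:
        findings.append(("info", "any one of these modules can verify a login: " + ",".join(modules)))
    for m in modules:
        if m not in MODULES:  # exact match on the documented spelling (assumption)
            findings.append(("error", "unsupported module: " + m))
    if "HTTP" not in modules:
        return findings  # the HTTP* settings are only needed by the HTTP module
    url = urlparse(s.get("HTTPPath", ""))
    if url.scheme not in ("http", "https") or not url.netloc:
        findings.append(("error", "HTTPPath must hold a valid URL when HTTP is active"))
    elif url.scheme == "http":
        findings.append(("warn", "HTTPPath is http://: request is not encrypted in transit"))
    if s.get("HTTPMethod", "GET") not in HTTP_METHODS:       # documented default: GET
        findings.append(("error", "HTTPMethod must be GET or POST"))
    t = s.get("HTTPRequestTimeout", "420")                   # documented default: 420
    if not (t.isdigit() and TIMEOUT_MIN <= int(t) <= TIMEOUT_MAX):
        findings.append(("error", "HTTPRequestTimeout must be 60 to 600 seconds"))
    return findings

if __name__ == "__main__":
    for severity, message in check_login_server(SAMPLE):
        print(severity.upper(), message)
```

The guide does not say whether the Login Server accepts an https:// URL in HTTPPath, so treat the http:// finding as a prompt to review the network path between the Login Server and the HTTP server.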
Starting the Login Server
If you configured BusinessObjects Planning Login Server for automatic
startup when you installed it, the server starts automatically when you start
your system. If you configured it for manual startup, you must manually start
the server using Windows Services.
To start the server manually using Windows Services, you must be a member
of the Windows Administrator group.
To start the BusinessObjects Planning Login Server:
1. From the Start menu, select Settings and Control Panel.
2. In the Control Panel, double-click Administrative Tools.
3. In the Administrative Tool dialog box, double-click Services.
4. In the Services dialog box, right-click BusinessObjects Planning Login
Server and select Start from the menu.
A message is displayed indicating that the Service is attempting to start the
BusinessObjects Planning Login Server.
Note: If the service does not start, or an error message is displayed, ensure
your Windows password is correct. To do this, right-click BusinessObjects
Planning Login Server and select Properties. In the BusinessObjects
Planning Site Login Service Properties dialog box, click the Log On tab.
Re-enter and re-confirm your password, click OK, and repeat step 3.
Adding BusinessObjects Planning Login Server to your authentication scheme
After BusinessObjects Planning Login Server has been installed and
configured, it must be added to your authentication scheme so that
BusinessObjects Planning directs any authentication requests through
BusinessObjects Planning Login Server and to whatever authentication
source has been configured. Adding BusinessObjects Planning Login Server
to your authentication scheme requires the following steps:
1. Launch the BusinessObjects Planning Security Configuration tool. See
Starting the Security configuration tool on page 69 for information on
how to do this.
2. Configure those applications that require authentication. See
Configuring the applications that require identity confirmation on
page 77 for information on how to do this.
3. Add the BusinessObjects Planning Login Server to your list of external
authentication servers. For information on adding BusinessObjects
Planning Login Server to your list of authentication servers, see
Configuring external authentication servers on page 83.
4. Close the tool.
Error reporting
Since BusinessObjects Planning Login Server runs under a local system
account, the BusinessObjects Planning shared folder is inaccessible to the
application. Therefore, Login Server does not log any messages into files
located on shared network resources, including the BusinessObjects
Planning shared folder. Instead, BusinessObjects Planning Login Server logs
internal errors, user authentication failures and successes, and any
diagnostics messages using the local machine's Windows Event Log.
Chapter 6 Using the Security Configuration Tool
The BusinessObjects Planning Security Configuration tool configures
BusinessObjects Planning data repository access, BusinessObjects Planning
shared folder access, and user creation and authentication when gaining
access to BusinessObjects Planning.
This section provides information about:
Starting the Security configuration tool on page 69
Editing database access parameters on page 70
Configuring BusinessObjects Planning shared folder access on page 74
Configuring login account types on page 75
Configuring login confirmation on page 76
Configuring user auto-creation on page 79
Configuring external authentication servers on page 83
Starting the Security configuration tool
BusinessObjects Planning Site Administrators can use the BusinessObjects
Planning Security Configuration tool to configure their site security settings.
Warning: This tool should be used by BusinessObjects Planning site
administrators only. Before launching this tool, you must know the
BusinessObjects Planning site database password and you must have write
access to the BusinessObjects Planning configuration file, Planning.ini.
To start the Security Configuration tool:
1. Expand the Site and Tools folder on the installation CD or network share
and run CtpSecConfig.exe.
2. In the BusinessObjects Planning Site Shared Folder dialog box, in the
Folder text box, type the path to the BusinessObjects Planning site's
shared folder, or click Browse to specify a location.
Note: This dialog box is not shown if your registry settings already point
to a valid shared folder.
3. In the Password text box, type the password to the BusinessObjects
Planning data repository. This is the same password that was created
during the installation of the BusinessObjects Planning site.
4. Click OK.
Editing database access parameters
If the BusinessObjects Planning site's database or database server has been
moved or renamed, the corresponding site configuration settings must be
updated.
With the Security Configuration tool, you can edit the following database
access parameters:
Database attributes
Database account
Database password
Note: Depending on how your database has been configured, you may be
required to have appropriate rights and privileges to perform these actions.
To edit the database access parameters, on the Database page, click Change.
Editing the database attributes
The database attributes specify the database server name, the database
name, and the data source name to be used in ODBC connections.
To edit the database attributes:
1. On the Database And Account page, select the Change database
attributes check box.
2. In the Database server text box, type the name of the new database
server.
3. In the Database name text box, type the name of the database.
4. In the Data source name text box, type the name of the data source. This
name will be used to create ODBC connections to the database.
5. Click OK.
Editing the database account
The database account specifies the account name to be used to connect to
the database.
To edit the database account:
1. On the Database And Account page, select the Account check box.
2. In the Account text box, type the name of the new account.
Note: This account must exist in the database and have rights to access
the BusinessObjects Planning database, otherwise client applications
cannot connect.
3. Click OK.
Note: This change causes the connection to the database to close. You must
restart the Security Configuration tool to continue working with it.
Editing the database password
The database password specifies the password to be used to connect to the
database.
To edit the database password:
1. On the Database And Account page, select the Password check box.
2. In the Password text box, type the new password.
3. In the Type it again text box, retype the new password.
4. Select the Update also in the database check box to update the
password in the database if the password has not been updated there
yet.
5. Click OK.
Note: This change causes the connection to the database to close. You must
restart the Security Configuration tool to continue working with it.
Configuring BusinessObjects Planning shared folder access
By default, BusinessObjects Planning uses Windows authentication to
authenticate its users. However, there may be some BusinessObjects
Planning users who are not working from a Windows domain. The Security
Configuration tool allows an administrator to redirect all unauthenticated
accounts to use a dedicated Windows domain account.
The shared folder configuration settings are saved in the [Planning] section of
the shared Planning.ini file.
Note: A dedicated account must be created before default user access can
be configured. This account must be granted full rights (read, write, modify,
control) on the BusinessObjects Planning shared folder.
To configure shared folder access:
1. Click the Protection tab.
2. On the Protection page, click Change.
3. In the User name text box, type the domain and name of the dedicated
account.
4. In the Password text box, type the password for the account.
5. In the Confirm password text box, retype the password for the account.
6. Click OK.
Parameter                  Description
SharedDirectoryAccount     The account to use.
SharedDirectoryPassword    The encrypted password for the account.
Configuring login account types
By default, BusinessObjects Planning uses Windows authentication to
authenticate its users. Using the Security Configuration tool, you can enable
your site authentication through other pre-configured types of user accounts.
To configure the login account types:
1. Click the Accounts tab. The types of accounts are listed in the order that
they are checked when a user logs in.
2. To add a type of user account to BusinessObjects Planning
authentication, click Add.
3. Select the type of account to add from the account list.
4. Click OK.
5. Select the Remember the last login and use it next time check box if
you want the last used type of account to be remembered for each user.
When the user logs in again, the last used type of account is used first to
authenticate that user.
6. To remove an account, select the account you want to remove from the
Type of account list and click Remove.
7. To change the order in which accounts are checked, select an account
from the Type of account list and click Up or Down.
8. Click Apply.
Configuring login confirmation
Depending on the level of security your organization requires, you can
configure BusinessObjects Planning applications to force users to confirm
their identity every time they launch a BusinessObjects Planning application.
The security configuration tool allows you to perform the following actions
when configuring login confirmation:
Enable identity confirmation
Configure the applications that require identity confirmation
Edit application properties
Enabling identity confirmation
When identity confirmation is enabled, users must type in their username and
password every time they log in to BusinessObjects Planning.
To enable identity confirmation:
1. Click the Confirmation tab.
2. Select the Identity confirmation is required check box.
3. Select when a user must confirm their identity. The options are:
Mandatory for every user: Every time a user logs in they must
enter their username and password
For not yet registered users only: Unregistered users must enter
their username and password the first time they use
BusinessObjects Planning
Optional for pre-authenticated users: The username and
password text boxes are pre-filled for pre-authenticated users. A
different username and password can be entered if the user wants to
log in as a different user.
4. Click Apply.
Configuring the applications that require identity confirmation
Once identity confirmation is enabled, you can specify which
BusinessObjects Planning applications require identity confirmation.
To configure which applications require identity confirmation:
1. On the Confirmation page, in the Application list, view the list of
BusinessObjects Planning applications that require identity confirmation.
2. To add an application, click Add.
3. Select the application to add from the application list.
4. Select the User may edit identity attributes check box if you want to
allow users to log into BusinessObjects Planning with an account
different from the one they are currently using on their workstation.
5. Click OK.
6. To remove an application, select the BusinessObjects Planning
application from the Application list and click Remove.
7. Click Apply.
Editing application properties
You can configure whether users are allowed to log into BusinessObjects
Planning with an account that is different from the one they are currently using
on their workstation.
To edit an application's properties:
1. Select the application from the Application list and click Properties.
2. Select the User may edit identity attributes check box if you want to
allow users to log into BusinessObjects Planning with an account
different from the one they are currently using on their workstation.
OR
Clear the User may edit identity attributes check box if you want to
force users to log into BusinessObjects Planning with the account they
are currently using on their workstation.
3. Click OK.
4. Click Apply.
Configuring user auto-creation
When a new user attempts to gain access to BusinessObjects Planning, you
can configure whether to register them with BusinessObjects Planning